Sprint Planning Meeting 2020 01 22
What we said we would do:
- SecureDrop Workstation: Implement enforced updates of critical system components in a manner that meets security and usability requirements for beta
Sprint goal partially met:
- PR #396 merged. It provides a guided, graphical update process as part of launching the client.
- Recommended high priority follow-up tweaks:
- Instruct user to shut down long-running workstation: https://github.com/freedomofpress/securedrop-workstation/pull/389 (started by @pierwill, needs help)
- Don't launch updater when not needed: https://github.com/freedomofpress/securedrop-workstation/issues/402
- Fix progress bar (stalls at 100% as VMs are rebooted): https://github.com/freedomofpress/securedrop-workstation/issues/411
- Remove cron job (R.I.P.)
- To consider: https://github.com/freedomofpress/securedrop-workstation/issues/416
- To consider: https://github.com/freedomofpress/securedrop-workstation/issues/415
- SecureDrop Workstation: Prepare release management infrastructure for a first beta release
Sprint goal partially met:
- Wheel storage migrated to git-lfs: https://github.com/freedomofpress/securedrop-debian-packaging/pull/124
- Version increment script added: https://github.com/freedomofpress/securedrop-workstation/pull/404
- Nightly RPM builds close to landed: https://github.com/freedomofpress/securedrop-debian-packaging/pull/129
- Proposal for re-organizing Makefile targets to enable prod builds: https://github.com/freedomofpress/securedrop-workstation/issues/406
- Ongoing discussion re: signing story, need for submodules
- RM Guide started in GDoc
- SecureDrop Workstation (Client): Implement continuous background syncs and consistent network error handling
Sprint goal partially met:
- PR to significantly improve sync performance in client merged: https://github.com/freedomofpress/securedrop-client/pull/709
- Timing data for API endpoints gathered: https://github.com/freedomofpress/securedrop-client/issues/648
- This led to identification of quadratically scaling compute heavy get_sources API endpoint
- Two line fix in SecureDrop Core ready for review: https://github.com/freedomofpress/securedrop/pull/5100
- PR for prioritizing user actions merged: https://github.com/freedomofpress/securedrop-client/pull/708
- PR for moving syncs to their own queue ready for review:
- Icons and screens for new sync behavior completed: https://github.com/freedomofpress/securedrop-ux/issues/97#issuecomment-576049307
Additional accomplishments:
- Show/hide password feature: https://github.com/freedomofpress/securedrop-client/pull/679
- Preview snippets in source list: https://github.com/freedomofpress/securedrop-client/pull/698
- Still has lag issues: https://github.com/freedomofpress/securedrop-client/issues/707
- HTML escaping issues fixed in placeholders, messages, replies, snippets:
- Messages, replies: https://github.com/freedomofpress/securedrop-client/pull/703
- Snippets: https://github.com/freedomofpress/securedrop-client/pull/720
- Transitioned to new VM naming scheme: https://github.com/freedomofpress/securedrop-client/pull/701
- Other big changes are really close:
- rsyslog usage in securedrop-log & across repos
- print/export design close to spec, including security warnings, new in-client "export successful" message: https://github.com/freedomofpress/securedrop-client/pull/666
- download/decryption activity indicator
- conversation view updates
Other comments/observations:
What went well:
- Erik rules at thoughtful remote guidance for non-technical Qubes reprovisioning.
- Appreciated the guidance for priorities.
- Getting (re) familiarized with the code base was good.
- Good supportive / collaborative feels.
- Also, Allie's show and tell about queues was super duper useful. Thanks..!
- Found lots of bugs and feel like we are prioritizing them well for next sprint
- We are doing a good job avoiding scope creep
- Discussion on PR feedback, on github and also in direct chats. (Kushal)
- Gosh golly, what an updater we have now!
- Good collaboration between UX & security for 11th hour changes (updater is fine example)
- In-depth discussion about prod workflows, particularly around signing
- Shout-out to Nick & Kushal for super friendly pip messaging =)
- nice communication with upstream(s), esp re Qubes and pip issues! (ro)
- great job as team resolving different opinions and choosing a path forward on non-trivial changes (eg updater, vm names) (ro)
- Merged several major changes to the workstation at the same time (+1 Conor)
What we can improve:
- Unclear which PRs go towards the main sprint goals: perhaps we can improve PR labelling to indicate which PRs are critical towards sprint goals (or workstation pilot) and those which can sit there.
- I found myself accidentally picking up tickets from the wrong column. I realise that this is *my* fault, but the board is a bit of a "beast" to quickly grok IYSWIM (If you see what I mean). More speed, less haste on my part.
- Let's do a quick PM chat the next couple days
What's still a puzzle:
- how to schedule cross timezone collaboration. Currently "by chance".
- Do folks find it valuable to use GitHub (self-)assignments more? If so, we can start making a habit of it (would have to tweak permissions - I can't assign things to myself for example)
- PR self-assignments for review great to avoid duplication of effort.
- Not sure I have permissions to update board (e.g. self-assign). OK.. will poke. ;-)
- ACTION: Let's try more consistently self-assigning when moving things to "In dev"
- Best way for non-SDWS contributors to stay abreast of workstation changes, happenings, bugs/workarounds and issues from a support perspective (ro - biased perhaps because I missed yesterday's meeting)
- How are we planning to upgrade dom0 when Fedora 31 based Qubes coming out? We need a plan in place for this. (there's also 4.0.3 testing -- 4.0.2 was pulled recently due to install issues on certain hardware) We should have a recco for a backup strategy for the workstation - this might make major Qubes upgrades easier if folks could just reinstall and restore VMs (though dom0 config might not be preserved?) https://github.com/QubesOS/qubes-issues/issues/5529 -- this is the issue to track
2020-01-27 to 2020-01-29: Conference: Conor and Jen (USENIX ENIGMA, San Francisco)
2020-01-31 : Travel: Jen
2020-01-27+ : Travel: Nina (in NYC all day 28th); in Brussels all that week, in Berlin all the following week
2020-01-30+ : Conferences, Nina at Sustain (Thurs 30) & FOSDEM (Feb 1-2); meeting/co-working with Qubes team 5th-7th
There have been a very small number of commits since SecureDrop 1.2.0. SecureDrop 1.3.0 - if we try to pull it off - could look like this:
2020-01-30 : Cut RC1 and do round of hardware/VM testing
2020-02-04 : Pre-release announcement, abbreviated QA period
2020-02-11 : Release
Action: Review what's landed in develop so far, decide whether to just do a point release for now
Time check: https://docs.google.com/spreadsheets/d/1kHGCB-qvu7UMOi9wDKWW-6dut0NJIhVrXZCr6cjQrxY/edit#gid=0
Proposed:
- Finish work-in-progress and critical bug fixes for pilot. That includes:
- continuous sync
- updater follow-up, removal of cron job
- logging
- Makefile refactor
- Test plan
- Release a very tightly scoped SecureDrop 1.3.0 or 1.2.1. That includes:
- Tor version update (only if we do 1.3.0)
- API performance improvements needed for client
https://docs.google.com/spreadsheets/d/13baMtJLTA55fXfJNY3frpXStVuBByuwbl_GFDp8nbOQ/edit#gid=0